Many EUC vendors are working to eliminate the password. So far, I’ve reviewed Microsoft’s four-step roadmap and Google’s passwordless experience, but they are far from the only vendors putting forth products aimed at strengthening authentication or hiding passwords. The IdP vendor Okta has also offered organizations the ability to enjoy a passwordless experience.
Okta’s passwordless strategy
Every vendor has a philosophy around how they want to improve the login experience. Okta sees a passwordless future as more than just one factor replacing passwords; rather, it’s an implementation of non-password factors alongside contextual access, which could bolster security while providing an improved user experience.
Right now, Okta’s passwordless experience revolves around two products: Adaptive MFA and ThreatInsight. When a user logs in, Adaptive MFA determines the risk of allowing them into the application by examining their device (has this device been used before?), location (impossible travel), and network. ThreatInsight then analyzes real-time threat data collected by the Okta Integration Network.
With Adaptive MFA and ThreatInsight deployed, Okta says that organizations can go passwordless. It’s important to note that passwords will still exist, but will be largely unused. Instead, administrators can configure different factors to be used in their stead (all the common factors, such as OTPs and biometrics). What users are required to use will depend upon the risk analysis from ThreatInsight and Adaptive MFA. For example, maybe employees need to authenticate with the Okta Verify mobile app for most cases, but if the risk level is above a certain threshold, another factor is required alongside it. Additionally, organizations can use Okta Identity Cloud with VMware Workspace ONE.
Okta recently announced HealthInsight, a new feature that sits alongside ThreatInsight and provides policy recommendations to admins. (Jack covered more about HealthInsight and the other recent news from Okta.) One aspect of the recommendations is that they will highlight that SMS isn’t a very strong factor and will suggest a different one be used instead (maybe a hardware key).
After their announcements at Okta Showcase, I asked about any roadmap plans they have for actually eliminating passwords, but unfortunately they had nothing further to share at this time.
It’s good to see that vendors outside the giants in the industry are working to eliminate passwords. I feel we’ll only be able to truly kill passwords when there are enough options out there for organizations of any size to easily deploy. It’s good to not necessarily have to adopt a solution from one of the EUC giants just to ditch passwords.
I also want to reiterate that reducing our reliance on using passwords on a daily basis is an important first step in eliminating passwords, so Okta is in good company with Microsoft, Google, and even MobileIron. I’m still waiting for the day that I can toss all passwords aside.